Making the World Safe for Information

With some 32,000 employees, offices in 150 cities worldwide, and annual revenues of $4 billion, Science Applications International Corporation (SAIC) is the US's largest employee-owned high-tech research/engineering firm. The company provides information technology expertise and systems integration services to major clients worldwide.

In 1995 SAIC purchased Network Solutions (the major Internet domain name registrar), and in 1997 it acquired Bellcore, the research arm of the US regional Bell operating companies. SAIC is online at http://www.saic.com/.

In March, Computing Japan spoke with SAIC's James R. Swinney (Business Development Manager, Center for Information Protection) and Nicholas M. Nahas (Director, Japan Business Initiatives).

interviewed by Wm. Auckerman

Tell our readers a bit about SAIC's information security services.
James Swinney: I like to describe [our services] as industrial-strength information protection, from consulting and front-end assessment to engineering or reengineering a company's architecture. We like to come in and prevent problems. We typically get involved in difficult engineering problems rather than simply information protection; the more difficult the problem, the better we like it. We have developed some very innovative, world-class applications for customers around the information protection problem.

We also offer an open source monitoring service, called DETECT. Essentially, we're out on bulletin boards and participating in various electronic media looking for information which would indicate that a client company is a target, and provide appropriate notification.

Then there is REACT, which is a 24 [hour] by 7 [day] incident response service. Our people are skilled and trained to perform the immediate action steps to deal with an information protection crisis. I'm talking cyber-extortion, industrial espionage, monetary theft, theft of intellectual property, vandalism, malicious destruction of data... you name it.

We also keep customers apprised of the threats and vulnerabilities that they are likely to see. And because we're out participating and developing information about threats all the time, as part of our DETECT service, we're in a good position to stay up with the "state of the hack," as it's called.

Who are the main clients for these services?
Nicholas Nahas: We work with most of the large financial institutions around the world; I can't name them because we have nondisclosure agreements with them. And locally, we've recently begun working with several major Japanese organizations. We expect that to grow exponentially.

Swinney: [We have] clients all over the world. Financial clients are probably 60% to 70% of our business -- banks, insurance companies, brokerage houses, investment management companies.... But we also include pharmaceuticals, oil and gas, manufacturing, and the entertainment industries. The common thread obviously is networks and systems, and intellectual property and corporate reputations. Our business is exploding.

Is the increased popularity of electronic commerce contributing to this?
Swinney: No, at this point it is more a concern about the security of the computer systems. SET itself is a secure protocol, but what's to stop a fraudulent transaction from being initiated in a legacy system, and passing completely encrypted and legitimately through the SET channel?

I would argue that the first thing a company needs to do is make sure it has good, strong information protection policies in place, and that it is doing the things necessary to secure its infrastructure. The worst thing a company could do is to develop its SET or e-commerce capabilities but have an insecure legacy environment in place that someone [could use] to start moving money. We've been involved in some very serious situations where this medium was being used to steal from companies. That's why they call us.

Nahas: The real reason for the increase [in business] is a growing awareness on the part of companies that there is a problem. Japan is a very secure country, and has been; it has that aura about it. But as soon as you hook up to the Internet, or the outside world... there are those out there who don't have the same standards, shall we say, as the Japanese do. They'll take an opportunity.

Over the past month or two, the Japanese press has started pointing out break-ins here, and break-ins there, and situations that even six months ago you wouldn't even have heard about -- either because they weren't happening, which is probably not true, or because nobody was publicizing them. The increase in business is due to a better awareness of the potential problem.

And remember that whatever is being reported is only a small fraction of what we believe, and in some cases know, is going on. The financial loss that a company might incur from a break-in is nowhere near as bad as the loss of prestige and customer confidence that it would incur [from public disclosure]. Reputation is intangible, but in many cases more important.

Swinney: Yes, harm to their reputation is by far the more serious problem for many companies. The financial losses will be covered by insurance, but the harm to their reputation....

So, information protection is primarily a connectivity issue?
Swinney: Yes, that's driving this whole phenomenon. I don't believe there's any larger percentage of bad people in the world than there was at any other time. It's just that with global connectivity, time and space have collapsed; you can be in Latvia, or in St. Petersburg, or in Albania, and you're potentially at anyone's doorstep in any first world country. E-commerce will come, but security is one of those issues that's got to be dealt with before people feel safe about using the medium -- giving someone your credit card number, or a digital signature, or whatever.

I assume that most big companies have information protection policies in place, but what about smaller companies?
Nahas: I'm not sure we'd totally agree with your assumption....

Swinney: You'd be surprised. You can have a great policy, one that calls for eight-character passwords of random characters. Then we'll come in and... put them through a crack program that will sniff a significant percentage of passwords. So we find that even if there is a good policy in place, it's not being enforced.

It's my belief -- and we've seen it both in the Japanese market and in the US market -- that a good password policy, well enforced, with changing passwords on some reasonable basis, is a very good hurdle to have in place. It isn't the be-all and end-all, but it's a good start.

We see a particularly acute problem in Japan. It's much worse here in the password area than we've seen in other places: trivial passwords that can be broken very quickly with any kind of cracking program. It's a serious issue.

In terms of general security policies, how do Japanese companies compare with US companies?
Swinney: I think it would be fair to say that, in general, there is much less of a recognition here -- not only in the policy area, but in a general awareness of the security that the electronic medium requires. There is a bit of a cultural myopia, so part of what Nick and I do over here is to put on the black hat and say, "Do you know that it's a bad world out there?" It's a little bit of a scare sale; we talk about the threat and about what could happen.

My belief is that most Japanese systems were designed making incorrect -- or perhaps I should say old -- assumptions about how good people are, how trustworthy they are. And those assumptions, given other weaknesses in the networks, lead to particularly serious vulnerabilities. We see problems here that we haven't seen in US systems for several years.

There is also a general inattention to information protection policy standards. It's a Japanese problem and, I think, a national issue. It's one that hopefully will be addressed in time, but right now it's a tremendous opportunity for a company like us. That's why we're here.

Are there any particular problems here in Japan you could elaborate on?
Swinney: I don't want to get into that, because I think it could be used against some companies here. Let's just say that there are vulnerabilities taken for granted over here that are typically dealt with in the US.

Companies in Japan just are not that attentive to security, probably because they haven't had a problem yet. There are stock things that are well known -- NT vulnerabilities, for example -- but Japanese companies generally are not as vigilant about keeping up with security patches for known vulnerabilities. They just are not as attentive, and we believe that it eventually will come back to bite them.

What is the greatest type of security danger that a typical midsize company is likely to face?
Swinney: In our experience -- and other research also points this out -- the biggest threat to most companies is from inside the company. It could be a contract programmer who leaves the company but his login permissions are not shut off for months, and he's got a burr under his saddle about the way he was treated, or maybe a network administrator who is fired and leaves a logic bomb behind.

The lion's share of problems are inside problems. To a much lesser extent it's the sophisticated external hacker, or the high school kid who's in for kicks to see what he can do. But security tends to be perimeter focused; Japanese systems are very trusting inside.

Is the cost of implementing security features an issue?
Swinney: No, it's the myopia problem rather than the financial issue. Many companies have sophisticated systems, but either they have not turned on the security features, or they are not minding the store. In other words, access controls may be turned on, but nobody is looking at the logs, or password policies are not being enforced. It's the mindset.

Nahas: The cost of fixing the problem is relatively inexpensive; it's more procedural cost and taking advantage of what's already there -- policy enforcement. Most companies don't need to go out and buy a whole new system, or even major hardware components to fix the system. The cost of fixes is negligible compared to the unknown of not checking, or of finding a problem the hard way.

Swinney: To get a handle on where you are securitywise is really not that expensive.

What has been SAIC's presence in Japan so far, and what are your plans?
Nahas: SAIC has been in Japan for about 10 years, but for the majority of what we have done up to this point, the actual work has been done in the US and then provided to our clients and our customers over here. We are now in the process of opening up a KK company in Tokyo, to have an on-the-ground, full-time presence to expand our capabilities for our customers here. We've spent the last 10 years building relationships; now we're ready to start exploiting those relationships for the benefit of our customers. We plan to expand very quickly and very soon; within the next six months we will have a major presence here.

Do you find that cultural differences require you to sell yourself differently here?
Swinney: Yes; we feel differently going in here. It requires either a pre-sell, or a longer lead time, to really develop the need awareness. It's a little bit like pulling teeth. Some Japanese companies are very courteous, but they don't recognize there's any problem.

It is a little different over here than it is in other places. I have clients on three continents, and Japan is unique in this regard.

Do you have any final advice for Computing Japan readers?
Nahas: Many people think that if you're not a financial institution, you don't have to worry about security. But protecting proprietary information, in many cases, is more important than financial losses.

Even if you think you don't have anything to steal, someone may just want to disrupt your business; that's a financial loss, even though money isn't going out the door. If you've got a network, it doesn't make any difference what kind of company you are -- you need to make it secure.
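Editorial example, added after the interview and not part of it: Swinney's point that "a great policy" on paper is not the same as an enforced one is easy to demonstrate. The script below checks a set of accounts against the written rule he describes (eight or more characters, mixed character classes) and then runs a small dictionary-and-mangling cracker against the same accounts' salted hashes, the way an auditor would. The accounts, passwords, wordlist and mangling rules are all constructed for this illustration; the policy thresholds are an assumption, not anything SAIC published.

```python
"""Audit a password set two ways: against the written policy, and against a
simple cracker. The gap between the two columns is the enforcement gap.

Everything below (accounts, wordlist, rules) is constructed for illustration.
"""
import hashlib
import os
import string

# Constructed sample accounts. A real audit starts from the stored hashes,
# never from plaintext; plaintext is used here only so the example is self-contained.
SAMPLE_ACCOUNTS = {
    "alice": "Xk9#pQ2v",   # meets the policy and is not in any wordlist
    "bob": "password",     # fails the policy outright
    "carol": "Password1",  # 9 chars, three classes: passes a naive check
    "dave": "Tokyo1998",   # passes the naive check, falls to word + year rule
    "erin": "qwertyui",    # 8 chars, keyboard walk, single class
}

# Constructed stand-in for the dictionaries real cracking tools ship with.
WORDLIST = ["password", "tokyo", "qwertyui", "letmein", "welcome", "admin"]


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Assumed written policy: at least min_len characters and at least three
    of the four classes (lower, upper, digit, symbol). This is the kind of
    check a login screen enforces; note it says nothing about guessability."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def hash_password(pw: str, salt: bytes) -> str:
    """Salted SHA-256 standing in for whatever the target system stores.
    A real deployment should use a slow KDF (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def candidates(word: str):
    """Cheap mangling rules of the kind every cracker applies to a wordlist."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "1998"):
            yield base + suffix


def crack(hashes: dict, salts: dict, wordlist) -> dict:
    """Dictionary attack: return {user: recovered_password} for every hash
    matched by a wordlist entry or one of its mangled variants."""
    recovered = {}
    for user, digest in hashes.items():
        for word in wordlist:
            hit = next((c for c in candidates(word)
                        if hash_password(c, salts[user]) == digest), None)
            if hit is not None:
                recovered[user] = hit
                break
    return recovered


def audit(accounts: dict, wordlist) -> dict:
    """Per user: did the password pass the written policy, and did the
    cracker recover it anyway?"""
    salts = {u: os.urandom(8) for u in accounts}
    hashes = {u: hash_password(pw, salts[u]) for u, pw in accounts.items()}
    cracked = crack(hashes, salts, wordlist)
    return {u: {"meets_policy": meets_policy(pw), "cracked": u in cracked}
            for u, pw in accounts.items()}


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, WORDLIST)
    for user, r in report.items():
        print(f"{user:6} policy={'ok  ' if r['meets_policy'] else 'FAIL'} "
              f"cracked={'yes' if r['cracked'] else 'no'}")
    n = sum(r["cracked"] for r in report.values())
    print(f"{n}/{len(report)} recovered by a trivial wordlist run")
```

Two of the five constructed accounts ("carol", "dave") satisfy the written rule and still fall to a handful of mangling rules, which is the practical reason an enforced policy has to include periodic cracking runs against the real hashes, not just a complexity regex at password-change time.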
